[
https://issues.apache.org/jira/browse/TOMEE-734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13553570#comment-13553570
]
chunlinyao commented on TOMEE-734:
----------------------------------
Maybe disabling the sessionid change is not as secure as supporting it in TomEE.
> Tomcat Session Fixation Protection cause lost SessionContext
> ------------------------------------------------------------
>
> Key: TOMEE-734
> URL: https://issues.apache.org/jira/browse/TOMEE-734
> Project: TomEE
> Issue Type: Improvement
> Reporter: chunlinyao
> Priority: Minor
>
> Session Fixation Protection will change the sessionId upon user login.
> CdiAppContextsService tracks sessionContext by session.getId(). So even though the
> session hasn't changed, the changed sessionId will cause the sessionContext not to be
> found.
> For some use cases, if a user added some items to the shopping cart and the
> shopping cart is stored in sessionScope, after login the shopping cart will be
> empty.
> Can we store the original sessionId in the session, and retrieve it later?
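The failure described in this issue and the reporter's suggested fix, as an added example that is not TomEE or Tomcat code. `Session`, `ByIdStore`, `ByStableKeyStore` and the attribute name are hypothetical stand-ins, and a random server-side key is assumed in place of the original session ID so that session ID rotation at login stays enabled.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class SessionContextDemo {
    // Constructed stand-in for an HTTP session; not the Servlet API.
    static class Session {
        private String id = UUID.randomUUID().toString();
        final Map<String, Object> attributes = new HashMap<>();
        String getId() { return id; }
        // What session fixation protection does at login: same session, new ID.
        void changeSessionId() { id = UUID.randomUUID().toString(); }
    }

    interface ContextStore { Map<String, Object> contextFor(Session s); }

    // Behaviour described in the issue: contexts are tracked by session.getId().
    static class ByIdStore implements ContextStore {
        private final Map<String, Map<String, Object>> contexts = new HashMap<>();
        public Map<String, Object> contextFor(Session s) {
            return contexts.computeIfAbsent(s.getId(), k -> new HashMap<>());
        }
    }

    // Reporter's suggestion: keep the lookup key inside the session itself.
    // A random key is used here (assumption) instead of the old session ID;
    // it is never sent to the client, so the cookie value still rotates at login.
    static class ByStableKeyStore implements ContextStore {
        static final String KEY_ATTR = "example.contextKey"; // hypothetical name
        private final Map<String, Map<String, Object>> contexts = new HashMap<>();
        public Map<String, Object> contextFor(Session s) {
            String key = (String) s.attributes.computeIfAbsent(
                    KEY_ATTR, k -> UUID.randomUUID().toString());
            return contexts.computeIfAbsent(key, k -> new HashMap<>());
        }
    }

    // True if a cart placed in the context before login is still found afterwards.
    static boolean cartSurvivesLogin(ContextStore store) {
        Session session = new Session();
        store.contextFor(session).put("cart", "1 item"); // constructed sample data
        session.changeSessionId();                       // login rotates the ID
        return store.contextFor(session).containsKey("cart");
    }

    public static void main(String[] args) {
        System.out.println("keyed by session ID: " + cartSurvivesLogin(new ByIdStore()));
        System.out.println("keyed by stable key: " + cartSurvivesLogin(new ByStableKeyStore()));
    }
}
```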